US10909042B1 - Prevention of hash-based API importing - Google Patents
- Publication number: US10909042B1
- Application number: US16/516,827
- Authority: United States (US)
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G06F12/1018—Address translation using page tables, e.g. page table structures involving hashing techniques, e.g. inverted page tables
- G06F12/145—Protection against unauthorised use of memory or access to memory by checking the object accessibility, the protection being virtual, e.g. for virtual blocks or segments before a translation mechanism
- G06F9/30036—Instructions to perform operations on packed data, e.g. vector, tile or matrix operations
- G06F9/30072—Arrangements for executing specific machine instructions to perform conditional operations, e.g. using predicates or guards
- G06F9/5016—Allocation of resources to service a request, the resource being the memory
- G06F9/541—Interprogram communication via adapters, e.g. between incompatible applications
- G06F12/08—Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
- G06F2212/1052—Indexing scheme relating to accessing, addressing or allocation within memory systems or architectures; providing a specific technical effect; security improvement
Definitions
- FIG. 1 is a first diagram illustrating arrays for identifying locations of API functions.
- FIG. 2 is a second diagram illustrating arrays for identifying locations of API functions.
- FIG. 3 is a process flow diagram illustrating prevention of hash-based application programming interface (API) import exploits.
- FIG. 4 is a diagram illustrating components of a computing device for implementing aspects of the current subject matter.
- NtLockVirtualMemory is at index 0xCE of the AddressOfNames and AddressOfNameOrdinals arrays; the value stored in that AddressOfNameOrdinals entry is 0x03, indicating that the relative virtual address (RVA) of NtLockVirtualMemory is in the 3rd entry of the AddressOfFunctions array.
- The RVA is added to the base address of the module to get the absolute address of the function.
- Exploit payloads do not have an import table, and malicious executables avoid import table entries in an attempt to obfuscate their behavior and evade static analysis. Instead, malicious executables must manually re-implement the same behavior: GetModuleHandle is re-implemented by parsing the Process Environment Block (PEB) and dereferencing the structure PEB.Ldr.InMemoryOrderModuleList to get the first loaded module (and walking the doubly-linked list by following the Flink pointer to get the next module); with the address of the module, the payload can re-implement GetProcAddress by manually parsing the module's IMAGE_EXPORT_DIRECTORY to find the appropriate API name.
- A common optimization is to replace the string comparison procedure with a hash comparison to reduce the number of bytes required in the shellcode. For example, the string NtAllocateVirtualMemory\0 requires 24 bytes, but a 32-bit hash of the same function name, 0x55ee99de, requires only 4 bytes. This optimization has the side benefit of removing strings from the payload, which makes static analysis slightly more difficult.
- Hashes can be computed with hashing algorithms that are fairly simplistic; however, there are numerous hash algorithms. Malicious actors change hash algorithms or mutate existing ones to generate different hash values and so avoid detection by known hash values.
- DLL files can be loaded into certain or all processes to generate hash collisions for the hash algorithm. For example, CyNTFMIHYBLXA.dll can cause a hash collision with ntdll.dll, and CyKNPHDOJQHQZ.dll can cause a hash collision with kernel32.dll.
- Within these DLL files are a number of exports, such as VCNYXPFBZQ, which can cause a hash collision with NtAllocateVirtualMemory.
- strcmp terminates when it encounters the first character where the strings do not match, while the hash algorithm must generate the hash of the entire string before it can compare it to the desired hash value.
- The current subject matter exploits this behavior by manipulating the module's export table in memory and installing a specially crafted export table entry which causes strcmp to terminate correctly but forces the hash algorithm into an exception condition by reading invalid memory.
- The trap as provided herein can include the following steps:
- strcmp will compare the requested API name against the values in the name page 210 (AAAAAAA . . . AAAAA) and terminate before reading the guard page 220, because there is no valid API name which consists of 4096 A's.
- When the hash function attempts to calculate the hash value of the name, it reads the 4097th byte, which is in the guard page 220, causing the operating system to raise a memory access violation.
- The memory access violation can be caught, for example, with Vectored Exception Handling (VEH) and, in some cases, the corresponding program can be affirmatively terminated as opposed to being allowed to crash.
- The VEH can take the additional step of comparing the faulting read address with the address of the guard page 220 and ignoring all other exceptions (which should simply cause a program crash).
- FIG. 3 is a diagram 300 illustrating the prevention of hash-based application programming interface (API) importing by allocating, at 310, a name page and a guard page in memory. The name page and the guard page are associated with (i) an address of names array, (ii) an address of name ordinal array, and (iii) an address of functions array, all of which are generated by an operating system upon initiation of an application.
- The name page can then be filled, at 320, with valid non-zero characters. Thereafter, at 330, protections on the guard page can be changed to no access.
- An entry is inserted, at 340, into the address of names array pointing to a relative virtual address corresponding to anywhere within the name page. Access to the guard page causes the requesting application to terminate.
- FIG. 4 is a diagram 400 illustrating a sample computing device architecture for implementing various aspects described herein.
- A bus 404 can serve as the information highway interconnecting the other illustrated components of the hardware.
- A processing system 408 labeled CPU (central processing unit) can include, e.g., one or more computer processors/data processors at a given computer or at multiple computers.
- A non-transitory processor-readable storage medium, such as read only memory (ROM) 412 and random access memory (RAM) 416, can be in communication with the processing system 408 and can include one or more programming instructions for the operations specified here. Program instructions can be stored on a non-transitory computer-readable storage medium such as a magnetic disk, optical disk, recordable memory device, flash memory, or other physical storage medium.
- A disk controller 448 can interface one or more optional disk drives to the system bus 404. These disk drives can be external or internal floppy disk drives such as 460, external or internal CD-ROM, CD-R, CD-RW or DVD, or solid state drives such as 452, or external or internal hard drives 456. These various disk drives 452, 456, 460 and disk controllers are optional devices.
- The system bus 404 can also include at least one communication port 420 to allow for communication with external devices either physically connected to the computing system or available externally through a wired or wireless network. The at least one communication port 420 can include or otherwise comprise a network interface.
- The subject matter described herein can be implemented on a computing device having a display device 440 (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information obtained from the bus 404 via a display interface 414 to the user, and an input device 432 such as a keyboard and/or a pointing device (e.g., a mouse or a trackball) and/or a touchscreen by which the user can provide input to the computer.
- Other kinds of input devices 432 can be used to provide for interaction with a user as well; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback by way of a microphone 436, or tactile feedback); and input from the user can be received in any form, including acoustic, speech, or tactile input.
- The input device 432 and the microphone 436 can be coupled to and convey information via the bus 404 by way of an input device interface 428.
- Other computing devices, such as dedicated servers, can omit one or more of the display 440 and display interface 414, the input device 432, the microphone 436, and the input device interface 428.
- One or more aspects or features of the subject matter described herein can be realized in digital electronic circuitry, integrated circuitry, specially designed application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), computer hardware, firmware, software, and/or combinations thereof.
- These various aspects or features can include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which can be special or general purpose, coupled to receive data and instructions from, and to transmit data and instructions to, a storage system, at least one input device, and at least one output device.
- The programmable system or computing system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.
- The term “machine-readable signal” refers to any signal used to provide machine instructions and/or data to a programmable processor. The machine-readable medium can store such machine instructions non-transitorily, such as for example as would a non-transient solid-state memory or a magnetic hard drive or any equivalent storage medium. The machine-readable medium can alternatively or additionally store such machine instructions in a transient manner, such as for example as would a processor cache or other random access memory associated with one or more physical processor cores.
- The subject matter described herein may be implemented on a computer having a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to the user and a keyboard and a pointing device (e.g., a mouse or a trackball) and/or a touch screen by which the user may provide input to the computer. Other kinds of devices may be used to provide for interaction with a user as well; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
- Phrases such as “at least one of” or “one or more of” may occur followed by a conjunctive list of elements or features. The term “and/or” may also occur in a list of two or more elements or features. Unless otherwise implicitly or explicitly contradicted by the context in which it is used, such a phrase is intended to mean any of the listed elements or features individually or any of the recited elements or features in combination with any of the other recited elements or features. For example, the phrases “at least one of A and B;” “one or more of A and B;” and “A and/or B” are each intended to mean “A alone, B alone, or A and B together.” A similar interpretation is also intended for lists including three or more items. For example, the phrases “at least one of A, B, and C;” “one or more of A, B, and C;” and “A, B, and/or C” are each intended to mean “A alone, B alone, C alone, A and B together, A and C together, B and C together, or A and B and C together.”
- Use of the term “based on,” above and in the claims, is intended to mean “based at least in part on,” such that an unrecited feature or element is also permissible.
Abstract
Hash-based application programming interface (API) importing can be prevented by allocating a name page and a guard page in memory. The name page and the guard page are associated with (i) an address of names array, (ii) an address of name ordinal array, and (iii) an address of functions array, all of which are generated by an operating system upon initiation of an application. The name page can then be filled with valid non-zero characters. Thereafter, protections on the guard page can be changed to no access. An entry is inserted into the address of names array pointing to a relative virtual address corresponding to anywhere within the name page. Access to the guard page causes the requesting application to terminate. Related apparatus, systems, techniques and articles are also described.
Description
The subject matter described herein relates to techniques for preventing malicious software associated with resolving the location of operating system application programming interfaces (API).
Microsoft WINDOWS provides an application programming interface (API) in the form of dynamic link libraries (DLLs). These DLLs are specified by the Portable Executable (PE) file format which provides metadata for the various API functions. Programs rely on the various APIs provided by Microsoft WINDOWS in order to provide useful functionality for the user.
Hash-based application programming interface (API) importing can be prevented by allocating a name page and a guard page in memory. The name page and the guard page are associated with (i) an address of names array, (ii) an address of name ordinal array, and (iii) an address of functions array, all of which are generated by an operating system upon initiation of an application. The name page can then be filled with valid non-zero characters. Thereafter, protections on the guard page can be changed to no access. An entry is inserted into the address of names array pointing to a relative virtual address corresponding to anywhere within the name page. Access to the guard page causes the requesting application to terminate. Related apparatus, systems, techniques and articles are also described.
The name page and the guard page can both initially be allocated with read write permissions.
The entry inserted into the address of names array can be inserted at the beginning of the address of names array. Further, a new entry, having any value, can be inserted at the beginning of the address of name ordinals array.
The operating system can be, for example, MICROSOFT WINDOWS.
The name page and the guard page can be adjacent in the memory.
The filled name page can be arranged so as to not include a null terminator.
During runtime, a hash algorithm (or other algorithm) can traverse the address of names array until a pointer to the name page is selected. The hash algorithm can then first access the name page. Due to the name page being filled with values, the hash algorithm subsequently accesses the guard page after determining that the name page does not include a NULL byte signifying end of a string encapsulated therein.
A memory access violation can be raised when the guard page is accessed. A vectored exception handler can catch such a memory access violation and cause the program to terminate as opposed to crashing. The vectored exception handler can also be configured to ignore exceptions other than the memory access violation causing the program to crash.
In an interrelated aspect, a hash algorithm associated with a program traverses an address of names array until a pointer to a name page is selected. Thereafter, the hash algorithm initially accesses the name page. The hash algorithm subsequently accesses a corresponding guard page after determining that the name page does not include a NULL byte signifying the end of a string encapsulated therein. The program is caused to terminate upon access of the guard page.
Non-transitory computer program products (i.e., physically embodied computer program products) are also described that store instructions, which when executed by one or more data processors of one or more computing systems, cause at least one data processor to perform operations herein. Similarly, computer systems are also described that may include one or more data processors and memory coupled to the one or more data processors. The memory may temporarily or permanently store instructions that cause at least one processor to perform one or more of the operations described herein. In addition, methods can be implemented by one or more data processors either within a single computing system or distributed among two or more computing systems. Such computing systems can be connected and can exchange data and/or commands or other instructions or the like via one or more connections, including but not limited to a connection over a network (e.g., the Internet, a wireless wide area network, a local area network, a wide area network, a wired network, or the like), via a direct connection between one or more of the multiple computing systems, etc.
The subject matter described herein provides many technical advantages. For example, the current subject matter helps thwart malicious actors from executing software which relies on hash-based importing of APIs.
The details of one or more variations of the subject matter described herein are set forth in the accompanying drawings and the description below. Other features and advantages of the subject matter described herein will be apparent from the description and drawings, and from the claims.
The current subject matter is directed to preventing malicious software associated with resolving the location of operating system APIs. In particular, the current subject matter is directed to preventing hash-based API importing. Imports, in this context, are functions that are called from other files (such as DLL files with the WINDOWS operating system).
With WINDOWS, a compiler toolchain and a WINDOWS loader runtime work together to connect a program to the appropriate API calls as specified by the developer. These connections can be resolved at program start time via the WINDOWS loader parsing the program's import table, or resolved dynamically at runtime via calls (e.g., calls to LoadLibrary and GetProcAddress, both of which are APIs that must themselves be resolved at program start time).
As an example, a program that wants to allocate dynamic memory (heap) must call the VirtualAlloc API provided by kernel32.dll. In a traditional program, the program contains an import table entry for VirtualAlloc which will be filled in with the correct address when the process initializes, and the code merely references the offset of the import table in memory when calling the API. The alternative is to call GetProcAddress(hKernel32, “VirtualAlloc”) at runtime to get the address and subsequently call it as normal (in this case, GetProcAddress was initialized in the import table by the process loader).
The processes for resolving APIs in both the import table method (process loader) and the dynamic resolution method (GetProcAddress) rely on common code implemented in LdrGetProcedureAddress to identify the correct export and find the corresponding address. For a requested API function (e.g. NtLockVirtualMemory), the code walks down the AddressOfNames array (which contains relative virtual addresses to API names) and compares each string to the requested API function name. The string comparison (strcmp) (as provided below) compares the function name a single character at a time until it reaches the end of the string. If any character differs along the way, the function terminates immediately instead of continuing the comparison on the rest of the string (which would be a waste of computation cycles/processing resources, etc.).
One example strcmp implementation is as follows:

```c
int strcmp(const char* s1, const char* s2)
{
    /* advance while the strings agree; reaching the NUL on both means a match */
    for (; *s1 == *s2; ++s1, ++s2)
        if (*s1 == 0)
            return 0;
    /* the first differing byte decides the order (bytes compared as unsigned) */
    return *(const unsigned char*)s1 < *(const unsigned char*)s2 ? -1 : 1;
}
```
If strcmp indicates the string is a match, the corresponding offset in the AddressOfNameOrdinals array is referenced to get the corresponding index into the AddressOfFunctions array. In diagram 100 of FIG. 1, NtLockVirtualMemory is in index 0xCE of the AddressOfNames and AddressOfNameOrdinals arrays; the value stored in the AddressOfNameOrdinals entry is 0x03, indicating that the relative virtual address (RVA) of NtLockVirtualMemory is in the 3rd entry of the AddressOfFunctions array. This RVA is added to the base address of the module to get the absolute address of the function.
Exploit payloads (shellcode) do not have an import table and malicious executables avoid import table entries in an attempt to obfuscate their behavior and evade static analysis. Instead, malicious executables must manually re-implement the same behavior: GetModuleHandle is re-implemented by parsing the Process Environment Block (PEB) and dereferencing the structure PEB.Ldr.InMemoryOrderModuleList to get the first loaded module (and walk the doubly-linked list by following the Flink pointer to get the next module); with the address of the module, the payload can re-implement GetProcAddress by manually parsing the module's IMAGE_EXPORT_DIRECTORY to find the appropriate API name.
A common optimization is to replace the string comparison procedure with a hash comparison to reduce the number of bytes required in the shellcode. For example, NtAllocateVirtualMemory\0 requires 24 bytes, but a 32-bit hash, 0x55ee99de, corresponding to the same function only requires 4 bytes. This optimization has the side benefit of removing strings from the payload, which makes static analysis slightly more difficult.
Such hashes can be computed via hashing algorithms that are fairly simplistic; however, there are numerous hash algorithms. Malicious actors will change hash algorithms or mutate existing ones to generate different hash values to avoid detection by known hash values.
With the current subject matter, specially crafted DLL files can be loaded into certain or all processes to generate hash collisions for the hash algorithm. As an example, CyNTFMIHYBLXA.dll can cause a hash collision with ntdll.dll and CyKNPHDOJQHQZ.dll can cause a hash collision with kernel32.dll. Within these DLL files are a number of exports such as VCNYXPFBZQ which can cause a hash collision with NtAllocateVirtualMemory. These two DLLs allow for the catching of any exploit payloads or malicious programs which rely on the specific hash algorithm as provided below.
```c
#include <stdlib.h>   /* _rotr: rotate-right intrinsic in the MSVC C runtime */

unsigned int hash(char* c)
{
    unsigned int h = 0;
    do
    {
        h = _rotr(h, 13);   /* rotate the running hash right by 13 bits */
        h += *c;            /* add the next character of the export name */
    } while (*++c);         /* keep going until the NUL terminator is reached */
    return h;
}
```
Such an approach is effective at stopping Metasploit's meterpreter payload and any other tool which relies on Stephen Fewer's Reflective DLL Injection technique but misses other payloads which use different hashing algorithms. The current subject matter provides protection against other hash algorithms.
There is a subtle difference in how the memory (where the function name is stored) is accessed between the standard strcmp and hash algorithms. The strcmp algorithm terminates when it encounters the first character where the strings do not match while the hash algorithm must generate the hash of the entire string before it can compare it to the desired hash value. The current subject matter exploits this behavior by manipulating the module's export table in memory and installing a specially crafted export table entry which causes strcmp to terminate correctly but forces the hash algorithm into an exception condition by reading invalid memory.
The trap as provided herein can include the following steps:
1. Allocate two adjacent memory pages with PAGE_READWRITE permissions (pages 210, 220 in diagram 200 of FIG. 2).
2. Fill a first page 210 with any non-zero value, e.g. AAAAAAAAAA (4096 A's), and do NOT include a NULL terminator, creating a “name page”.
3. Change the protections on the second page 220 to PAGE_NOACCESS, creating a “guard page” (represented with a “No Access” symbol in FIG. 2).
4. Insert a new entry at the beginning of the AddressOfNames array with the relative virtual address of the name page 210.
5. Insert a new entry at the beginning of the AddressOfNameOrdinals array and give it any value.
Under normal operation, strcmp will compare the requested API name against the values in the name page 210 AAAAAAA . . . AAAAA and terminate before reading the guard page 220 because there is no valid API name which consists of 4096 A's. When the hash function attempts to calculate the hash value of the name, it reads the 4097th byte which is in the guard page 220, causing the operating system to raise a memory access violation. The memory access violation can be caught, for example, with Vectored Exception Handling (VEH) and, in some cases, the corresponding program can be affirmatively terminated as opposed to being allowed to crash.
The current approach extends generically to all hashing algorithms because it exploits how hash calculations are performed: they run until they find a NULL byte (a byte with the value of 0) signifying the end of the string.
When being implemented, one detail to consider is the fact that relative virtual addresses (RVAs) can only be positive deltas because they are unsigned integers. Therefore, the name page 210 and the guard page 220 need to be allocated in a memory address higher than the module address.
The VEH can take an additional step to compare the faulting read address with the address of the guard page 220 and ignore all other exceptions (which should just cause a program crash).
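To make the difference between the two resolution strategies concrete, here is an added C model (not the patent's or Cylance's code) of the export-table walk from FIG. 1, the trap entry from the steps above, and the VEH address check. It assumes a three-page module image addressed by RVA, a software read_byte that records a fault instead of raising one, constructed export names, and placeholder function RVAs.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of a module image addressed by RVA (not the patent's code):
 * page 0 holds the export-name strings, page 1 is the "name page" (4096 'A's,
 * no NUL) and page 2 is the "guard page" (PAGE_NOACCESS); reads there fault. */
#define PAGE_SIZE   4096u
#define NAME_PAGE   (1u * PAGE_SIZE)
#define GUARD_PAGE  (2u * PAGE_SIZE)
#define IMAGE_SIZE  (3u * PAGE_SIZE)

static unsigned char image[IMAGE_SIZE];
static int      faulted   = 0;   /* a read faulted */
static uint32_t fault_rva = 0;   /* RVA of the faulting read */

/* Read one byte by RVA; returns 0 and records the fault for inaccessible memory. */
static int read_byte(uint32_t rva, unsigned char *out)
{
    if ((rva >= GUARD_PAGE && rva < GUARD_PAGE + PAGE_SIZE) || rva >= IMAGE_SIZE) {
        faulted = 1; fault_rva = rva; return 0;
    }
    *out = image[rva]; return 1;
}

/* Constructed export directory: three real names plus room for the trap entry. */
static uint32_t AddressOfNames[4], AddressOfFunctions[4], NumberOfNames;
static uint16_t AddressOfNameOrdinals[4];
static const char *const export_names[3] =
    { "NtAllocateVirtualMemory", "NtLockVirtualMemory", "NtProtectVirtualMemory" };

/* Lay out the export table; with install_trap, steps 2, 4 and 5 of the trap are
 * applied (the guard page itself is modelled by read_byte above). */
static void build_module(int install_trap)
{
    uint32_t str_rva = 0x200, i, base = install_trap ? 1u : 0u;
    memset(image, 0, sizeof image); faulted = 0; fault_rva = 0;
    for (i = 0; i < 3; i++) {
        size_t len = strlen(export_names[i]) + 1;        /* real names keep their NUL */
        memcpy(image + str_rva, export_names[i], len);
        AddressOfNames[base + i]        = str_rva;
        AddressOfNameOrdinals[base + i] = (uint16_t)i;
        AddressOfFunctions[i]           = 0x800 + 0x40 * i;  /* placeholder code RVAs */
        str_rva += (uint32_t)len;
    }
    NumberOfNames = 3;
    if (install_trap) {
        memset(image + NAME_PAGE, 'A', PAGE_SIZE);       /* name page: 4096 'A', no NUL */
        AddressOfNames[0]        = NAME_PAGE;            /* new first entry -> name page */
        AddressOfNameOrdinals[0] = 0;                    /* any value */
        NumberOfNames = 4;
    }
}

/* Loader-style resolution: strcmp stops at the first differing byte, so on the
 * trap entry it reads only the first 'A' and moves on. */
static uint32_t resolve_by_name(const char *wanted)
{
    uint32_t i;
    for (i = 0; i < NumberOfNames; i++) {
        uint32_t rva = AddressOfNames[i]; const char *p = wanted; unsigned char c = 0;
        while (read_byte(rva, &c) && c == (unsigned char)*p && c != 0) { rva++; p++; }
        if (faulted) return 0;
        if (c == 0 && *p == 0) return AddressOfFunctions[AddressOfNameOrdinals[i]];
    }
    return 0;
}

/* The page's rotate-right-13 hash, computed over an ordinary C string. */
static uint32_t ror13_hash(const char *s)
{
    uint32_t h = 0;
    do { h = (h >> 13) | (h << 19); h += (unsigned char)*s; } while (*++s);
    return h;
}

/* Shellcode-style resolution: hashes every byte up to the NUL, so on the trap
 * entry it reads the 4097th byte, which lies in the guard page. */
static uint32_t resolve_by_hash(uint32_t wanted)
{
    uint32_t i;
    for (i = 0; i < NumberOfNames; i++) {
        uint32_t rva = AddressOfNames[i], h = 0; unsigned char c = 0;
        while (read_byte(rva++, &c) && c != 0) { h = (h >> 13) | (h << 19); h += c; }
        if (faulted) return 0;                           /* access violation raised */
        if (h == wanted) return AddressOfFunctions[AddressOfNameOrdinals[i]];
    }
    return 0;
}

/* VEH model: terminate only when the faulting address lies in the guard page. */
static int veh_should_terminate(void)
{
    return faulted && fault_rva >= GUARD_PAGE && fault_rva < GUARD_PAGE + PAGE_SIZE;
}
```

With the trap installed, the strcmp walk still returns the correct function RVA while the hash walk faults at the first byte of the guard page, which is exactly the address the VEH compares against before terminating.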
Hash-based application programming interface (API) importing can be prevented by allocating a name page and a guard page in memory. The name page and the guard page are associated with (i) an address of names array, (ii) an address of name ordinals array, and (iii) an address of functions array that are all generated by an operating system upon initiation of an application. The name page can then be filled with valid non-zero characters. Thereafter, protections on the guard page can be changed to no access. An entry is inserted into the address of names array pointing to a relative virtual address corresponding to anywhere within the name page. Access to the guard page causes the requesting application to terminate. Related apparatus, systems, techniques and articles are also described.
In one example, a disk controller 448 can interface with one or more optional disk drives to the system bus 404. These disk drives can be external or internal floppy disk drives such as 460, external or internal CD-ROM, CD-R, CD-RW or DVD, or solid state drives such as 452, or external or internal hard drives 456. As indicated previously, these various disk drives 452, 456, 460 and disk controllers are optional devices. The system bus 404 can also include at least one communication port 420 to allow for communication with external devices either physically connected to the computing system or available externally through a wired or wireless network. In some cases, the at least one communication port 420 includes or otherwise comprises a network interface.
To provide for interaction with a user, the subject matter described herein can be implemented on a computing device having a display device 440 (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information obtained from the bus 404 via a display interface 414 to the user and an input device 432 such as keyboard and/or a pointing device (e.g., a mouse or a trackball) and/or a touchscreen by which the user can provide input to the computer. Other kinds of input devices 432 can be used to provide for interaction with a user as well; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback by way of a microphone 436, or tactile feedback); and input from the user can be received in any form, including acoustic, speech, or tactile input. The input device 432 and the microphone 436 can be coupled to and convey information via the bus 404 by way of an input device interface 428. Other computing devices, such as dedicated servers, can omit one or more of the display 440 and display interface 414, the input device 432, the microphone 436, and input device interface 428.
One or more aspects or features of the subject matter described herein can be realized in digital electronic circuitry, integrated circuitry, specially designed application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs) computer hardware, firmware, software, and/or combinations thereof. These various aspects or features can include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which can be special or general purpose, coupled to receive data and instructions from, and to transmit data and instructions to, a storage system, at least one input device, and at least one output device. The programmable system or computing system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.
These computer programs, which can also be referred to as programs, software, software applications, applications, components, or code, include machine instructions for a programmable processor, and can be implemented in a high-level procedural language, an object-oriented programming language, a functional programming language, a logical programming language, and/or in assembly/machine language. As used herein, the term “machine-readable medium” refers to any computer program product, apparatus and/or device, such as for example magnetic discs, optical disks, memory, and Programmable Logic Devices (PLDs), used to provide machine instructions and/or data to a programmable processor, including a machine-readable medium that receives machine instructions as a machine-readable signal. The term “machine-readable signal” refers to any signal used to provide machine instructions and/or data to a programmable processor. The machine-readable medium can store such machine instructions non-transitorily, such as for example as would a non-transient solid-state memory or a magnetic hard drive or any equivalent storage medium. The machine-readable medium can alternatively or additionally store such machine instructions in a transient manner, such as for example as would a processor cache or other random access memory associated with one or more physical processor cores.
To provide for interaction with a user, the subject matter described herein may be implemented on a computer having a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to the user and a keyboard and a pointing device (e.g., a mouse or a trackball) and/or a touch screen by which the user may provide input to the computer. Other kinds of devices may be used to provide for interaction with a user as well; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
In the descriptions above and in the claims, phrases such as “at least one of” or “one or more of” may occur followed by a conjunctive list of elements or features. The term “and/or” may also occur in a list of two or more elements or features. Unless otherwise implicitly or explicitly contradicted by the context in which it is used, such a phrase is intended to mean any of the listed elements or features individually or any of the recited elements or features in combination with any of the other recited elements or features. For example, the phrases “at least one of A and B;” “one or more of A and B;” and “A and/or B” are each intended to mean “A alone, B alone, or A and B together.” A similar interpretation is also intended for lists including three or more items. For example, the phrases “at least one of A, B, and C;” “one or more of A, B, and C;” and “A, B, and/or C” are each intended to mean “A alone, B alone, C alone, A and B together, A and C together, B and C together, or A and B and C together.” In addition, use of the term “based on,” above and in the claims is intended to mean, “based at least in part on,” such that an unrecited feature or element is also permissible.
The subject matter described herein can be embodied in systems, apparatus, methods, and/or articles depending on the desired configuration. The implementations set forth in the foregoing description do not represent all implementations consistent with the subject matter described herein. Instead, they are merely some examples consistent with aspects related to the described subject matter. Although a few variations have been described in detail above, other modifications or additions are possible. In particular, further features and/or variations can be provided in addition to those set forth herein. For example, the implementations described above can be directed to various combinations and subcombinations of the disclosed features and/or combinations and subcombinations of several further features disclosed above. In addition, the logic flows depicted in the accompanying figures and/or described herein do not necessarily require the particular order shown, or sequential order, to achieve desirable results. Other implementations may be within the scope of the following claims.
Claims (20)
1. A method for preventing a hash-based application programming interface (API) importing comprising:
allocating a name page and a guard page in memory, the name page and the guard page being associated with (i) an address of names array, (ii) an address of name ordinal array, and (iii) an address of functions array that are all generated by an operating system upon initiation of an application;
filling the name page with valid non-zero characters;
changing protections on the guard page to no access; and
inserting an entry into the address of names array pointing to a relative virtual address corresponding to anywhere within the name page.
2. The method of claim 1, wherein the name page and the guard page are both initially allocated with read write permissions.
3. The method of claim 1, wherein the entry inserted into the address of names array is inserted at a beginning of the address of names array.
4. The method of claim 3 further comprising:
inserting a new entry at a beginning of the address of name ordinals array having any value.
5. The method of claim 1, wherein the operating system is MICROSOFT WINDOWS.
6. The method of claim 1, wherein the name page and the guard page are adjacent in the memory.
7. The method of claim 1, wherein the filled name page does not include a null terminator.
8. The method of claim 1 further comprising:
traversing, by a hash algorithm, the address of names array until a pointer to the name page is selected;
initially accessing, by the hash algorithm, the name page;
subsequently accessing, by the hash algorithm, the guard page after determining that the name page does not include a NULL byte signifying end of a string encapsulated therein.
9. The method of claim 1 further comprising:
raising a memory access violation when the guard page is accessed.
10. The method of claim 9 further comprising:
catching, by a vectored exception handler, the memory access violation; and
causing the program to affirmatively terminate rather than crash.
11. The method of claim 10 further comprising:
ignoring, by the vectored exception handler, exceptions other than the memory access violation causing the program to crash.
12. A system for preventing a hash-based application programming interface (API) importing, the system comprising:
at least one data processor; and
memory storing instructions which, when executed by the at least one data processor, result in operations comprising:
allocating a name page and a guard page in memory, the name page and the guard page being associated with (i) an address of names array, (ii) an address of name ordinal array, and (iii) an address of functions array that are all generated by an operating system upon initiation of an application;
filling the name page with valid non-zero characters;
changing protections on the guard page to no access; and
inserting an entry into the address of names array pointing to a relative virtual address corresponding to anywhere within the name page.
13. The system of claim 12, wherein the name page and the guard page are both initially allocated with read write permissions.
14. The system of claim 12, wherein the entry inserted into the address of names array is inserted at a beginning of the address of names array; and wherein the operations further comprise:
inserting a new entry at a beginning of the address of name ordinals array having any value.
15. The system of claim 12, wherein the operating system is MICROSOFT WINDOWS.
16. The system of claim 12, wherein the name page and the guard page are adjacent in the memory.
17. The system of claim 12, wherein the filled name page does not include a null terminator.
18. The system of claim 12 , wherein the operations further comprise:
traversing, by a hash algorithm, the address of names array until a pointer to the name page is selected;
initially accessing, by the hash algorithm, the name page;
subsequently accessing, by the hash algorithm, the guard page after determining that the name page does not include a NULL byte signifying end of a string encapsulated therein.
19. The system of claim 12 , wherein the operations further comprise:
raising a memory access violation when the guard page is accessed;
catching, by a vectored exception handler, the memory access violation;
causing the program to affirmatively terminate rather than crash; and
ignoring, by the vectored exception handler, exceptions other than the memory access violation causing the program to crash.
20. A method comprising:
traversing, by a hash algorithm associated with a program, an address of names array until a pointer to a name page is selected;
initially accessing, by the hash algorithm, the name page;
subsequently accessing, by the hash algorithm, a corresponding guard page after determining that the name page does not include a NULL byte signifying end of a string encapsulated therein;
causing the program to terminate upon access of the guard page.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/516,827 US10909042B1 (en) | 2019-07-19 | 2019-07-19 | Prevention of hash-based API importing |
US16/953,154 US11403231B2 (en) | 2019-07-19 | 2020-11-19 | Prevention of hash-based API importing |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/953,154 Continuation US11403231B2 (en) | 2019-07-19 | 2020-11-19 | Prevention of hash-based API importing |
Publications (2)
Publication Number | Publication Date |
---|---|
US20210019266A1 US20210019266A1 (en) | 2021-01-21 |
US10909042B1 true US10909042B1 (en) | 2021-02-02 |
Family
ID=74260685
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/516,827 Active US10909042B1 (en) | 2019-07-19 | 2019-07-19 | Prevention of hash-based API importing |
US16/953,154 Active 2039-09-29 US11403231B2 (en) | 2019-07-19 | 2020-11-19 | Prevention of hash-based API importing |
Country Status (1)
Country | Link |
---|---|
US (2) | US10909042B1 (en) |
Also Published As
Publication number | Publication date |
---|---|
US20210073142A1 (en) | 2021-03-11 |
US20210019266A1 (en) | 2021-01-21 |
US11403231B2 (en) | 2022-08-02 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
2019-07-18 | AS | Assignment | Owner name: CYLANCE INC., CALIFORNIA; Free format text: ASSIGNMENT OF ASSIGNORS INTEREST; ASSIGNOR: TANG, JEFFREY; REEL/FRAME: 049808/0996 |
 | FEPP | Fee payment procedure | Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
 | STCF | Information on status: patent grant | Free format text: PATENTED CASE |